PT-2023-24579 · Liferay · Liferay Dxp+1

Duy Huynh · Published 2023-05-24 · Updated 2026-01-09 · CVE-2023-33938

CVSS v3.1: 4.8 Medium

Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.3.0 through 7.4.0
Liferay DXP 7.3 before update 14

Description

A cross-site scripting (XSS) issue exists in the App Builder module's custom object details page, allowing remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an App Builder custom object's Name field.

Recommendations

For Liferay Portal versions 7.3.0 through 7.4.0, update to a version outside of the affected range to resolve the issue. For Liferay DXP 7.3, apply update 14 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the App Builder module's custom object details page until a patch is available. Avoid using the Name field in the App Builder custom object until the issue is resolved.

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-LIFERAY-2023-33938
CVE-2023-33938
GHSA-WVHW-5M89-64GV

Affected Products

Liferay Dxp
Liferay Portal